Counter-Strike Team Fortress 2 How Cheats Work

Mooshua

Vine-Ripened, non-GMO, and USDA Certified Organic.
Tech
This is a living document! Please consider checking back every once in a while in case we've made adjustments, corrections, or added new content :)

Cheats are nifty little things. Cheaters, of course, are not. So it's about time you silly little gooses learned what they do and how to spot them in order to sweep those little buggers off of our servers.

Yes, cheaters can see when you spectate them.

It's a thing. Some cheats will even turn off features automatically when the cheater is being spectated. So while you're welcome to spectate cheaters, just know that if someone really is injected there is a good chance they will know you're breathing down their neck :)

(It's theoretically possible to prevent cheaters from knowing you are spectating them, but it's a lot of work and we haven't had the chance to sit down and truly evaluate it's feasibility)

Netcode
[Extra Reading - Background Information]


1717297698317.jpeg
Oh yeah, it's netcode time. Source engine netcode is pretty interesting: simultaneously being extremely resilient and quite forgiving. At the heart of Source engine netcode is the UserCmd. One UserCmd is created per tick, which contains the player's buttons (attack, move left, switch weapon, etc), aim direction, and velocity, among other things. The server processes all new UserCmds every tick, but it rewinds the server to the point where the tick was sent, not the current tick that the server is running on. This process is called prediction.

The process of predicting a player is fairly complex, and actually fully rewinds all other players (and relevant entities) to the position that the player should have seen. It does this by taking note of each player's latencies and tries to find the last tick the server sent to the player that the player has received. In other words, the server is very much trying to accurately guess exactly what the player is seeing.

However, things can (and do!) go wrong. Packets are often received out of order, dropped, or choked when the client or server isn't able to send the packet within the bandwidth target. (Choking means that the packet is being held onto). Furthermore, every UserCmd comes with several backup cmds in case a single packet was lost; these can be used to get the last few movement commands from a player if the server didn't get them in time.

To summarize, source engine networking is complex. In fact, I probably didn't get all of this right (please correct me! I love corrections!!), and this complexity is harnessed by cheaters to go about their daily, annoying-$%& business.

Keeping it correct: Yes there are several different timing mechanisms involved in source netcode. To keep this simple, we will treat the engine as if it always sends exactly one snapshot/update/whatever per tick. If you play on our servers, and most source-engine servers in existence, this is always the case.

Anti-Aim

1717293394970.png

There are many ways to go about adding anti-aim to a cheat, but ultimately all an anti-aim does is de-synchronize the model that the server sees with the model that other clients see. This can work because the server isn't always perfect about which packet it gets it's movement information from, and it also isn't always perfect when it comes to sanitizing user input before touching it.

For example, the logic that handles player view angles doesn't lock the view angles to reasonable values (-90< x < 90), but the networking code does properly handle these angles. As a result, players can see cheaters rotated at 90 degrees, while the server sees the cheater at 180 degrees. No bueno!

One very creative form of anti-aim was found in the animation system using packet chokes. While the latest choked packet is sent to other players, the first choked packet is what's used by the animation system to place the player's hitbox in the world. Thus, players could literally give specifically the server a different view angle, without the players seeing any indication that the player was cheating!

[TF2] In TF2, anti-aim sometimes takes the form of anti-backstab, where the client sends illegal angles that can prevent a spy from backstabbing them (due to weird math weirdness). The spy, unfortunately, will be none the wiser and will just think they lagged out.

Luckily, some forms of anti-aim are detected by server-side anti-cheats, and many have been patched by valve over the years. (Official CS:GO servers used to detect some forms of anti-aim, presumably to help build VACnet!) Today anti-aiming is mostly only found in hack-vs-hack servers, or only very slightly used in "legit" cheating.

Aimbot

The sauce, the goodness: It's time for Aimbot! Aimbot is one of the easiest and hardest forms of cheating to detect; for some players it's clear as day, but for others it can take a little bit of a deep dive.

Aimbots, of course, move the player's mouse to point at an enemy player's hitbox. However, the exact details are handled by different cheats in different ways:
  • How do we move the mouse? Do we do an instant snap, or do we move it slowly to make it look like a real player?
  • Where specifically do we aim at? Do we always pick the head, or will we sometimes aim at the chest or a leg to throw players off?
  • When do we shoot? Do we let the player do the honors, or do we just simulate a mouse press ourselves?
  • How much will we move the player's mouse? Will we only snap to players close to the mouse, or will we risk being outed as a cheater and make wider movements to hit enemies?
Aimbots also have the freedom of choosing what tick to shoot on (if they haven't already sent a usercmd for that tick), and can use this to do annoying things like combine choking, fakelag, and backtracking to shoot without the victim ever seeing them. More on that later!

[Spot it!]
"Legitimate" aimbot (such as smoothed aim or removing recoil) is hard to spot. But you should still keep your eye out for the obvious cases:
  • Aim Snap, where the cheat enables the aimbot for one tick only to fire a perfect shot
  • Silent Aim, similar to aim snap, but when the aimbot then snaps back to where the player was originally looking to make it seem as if they never switched directions at all.

Airstuck Exploits

"Airstuck" is a broad term for exploits that allow the client to not move for extended periods of time. The client can effectively "freeze" it's momentum and stay in place until the cheat allows it to unfreeze. The most common form of airstuck is simply not sending any usercmds (not choking--just sending none at all) while still maintaining the connection.

Airstuck is mostly used in HvH and rage cheat contexts, and is rarely used stealthily.

[TF2] Airstuck is patched on Team Fortress 2, but can still be used for short periods of time (~5s)

[CSS] Airstuck is unpatched (to the best of my knowledge!) in Counter-Strike Source. Keep a look out for clients hovering slightly above the ground for extended periods of time! (Be sure there isn't an invisible clip brush there, too)

Lag Exploits

The bread and butter of annoying-$&$ cheaters: lagging the server. Because these $&%*$# wont leave us alone. C'mon, guys, find something better to do.

Lag exploits take one or two paths, depending on what the server will allow a player to do
  • Log spam: Printing messages to the server log isn't cheap, so if a player can get thousands or tens of thousands of logs to be written in a single tick, that could cause some noticeable disruption. We had this issue a lot in CSGO: cheaters found a way to print tens of thousands of log messages with a single packet. The lovely reverse engineer backwards found the patch for this, and it was used happily on our servers until the death of CSGO.
  • Packet Spam: By default, the source engine server just lets you send as many packets as you please. This can cause issues in the server code that handles the packets. This happened recently on our Dust 2 server, where cheaters spammed voice packets that caused our auto-muting system to lag out the server.
In general, there's not a lot you wee little moderators can do to fix lag exploits. Let a system administrator (aka, tech) know if you think the server is being lagged; we have lots of tools we can use to diagnose and patch open exploits.

ESP

Yeah, so there's pretty much nothing you can do to truly detect ESP, besides looking for suspicious behavior. But still, we should talk about some common misconceptions:
  • Tracking players through walls means someone has ESP
    This is just not true, many completely legitimate players trace people through walls as part of their normal gameplay. In addition, some "legit" cheats will intentionally hide players until they are just around a corner, to prevent players from acting suspiciously.
  • [CSS] Seeing through a flashbang means a player has anti-flash!
    This really, really depends. Sure, they could be cheating, but there's also a myriad of cases that can cause a flash to spontaneously not register. In fact, there are some cases where you are spectating a player being flashbanged and only one of you ends up actually being flashed!
  • ESP always means seeing through walls
    Several professional cheaters have been accused of cheating by using a very subtle aimbot as a form of ESP; as in they would press a key to have their mouse slowly move to point towards the nearest player, to reveal their location. Some TF2 cheats include a feature that flashes a warning when an enemy spy approaches you from behind. ESP doesn't always come in the outlines-through-walls form you'd think of!

Fakelag

Fakelag is a technique that takes advantage of choking. Essentially, players will only send their packets X times a second instead of once every tick, and will choke packets to prevent them from being sent prematurely. The server will properly fast-forward the player in time, including all their actions they took while choked! Players will see this as the cheater "teleporting" or lagging across the map as they move.

Unlike the game's built in "fake lag" used for testing, Fakelag cheats will prevent packets from being sent rather than artificially adding latency. (although they can, of course, do this too)

Fakelag is rarely used in "legitimate" settings, and is mostly used in hack vs hack contexts to try and confuse other cheats (or teleport around corners instantly without giving other cheaters time to react!)

[Spot It!]
If you see a player "Teleporting" across the map, they are probably using fakelag.


A cheater plays against another cheater using fakelag. Video from d3m0man used under fair use

Fake Latency

Fake latency simply adds latency to outgoing packets (but not incoming ones!), which can be used for a variety of legit and rage cheating methods. Since the latency is only on outgoing packets, the client will still see game updates in real time, unlike a true laggy player. [TF2] For example, fake latency is often used in combination with auto-backstabs in Team Fortress 2 to ""trickstab"" players.

Some cheats with fake latency support will be lazy and won't add a random jitter to the latency. If you see a player that is hard-stuck on a specific latency (for example, it stays 137 or 52 the entire time, not changing once!) then you should keep your eyes out, they could be using fake latency!

Note that it is very unusual for legitimate players to have latencies over 200; look closer if you spot this in-game. [TF2] Spies with latencies over 400 are probably cheating.

(Please don't ban players just for a stable latency. Having a stable ping is also a totally normal phenomenon)

Backtrack

Backtracking is a subtle form of cheating where a client artificially increases their latency for one command to throw off lag compensation. As a result of the increased latency, the game will search father back in time to find an appropriate tick to rewind too, thus giving the "backtrack" effect. (The client can also forward track by tricking the server into choosing a more recent tick to rewind to, but that's a whole other can of worms).

Since backtracking can occur both forwards and backwards, many weird hits (such as those hitting players that have not yet peeked around a corner, or those that have just dived behind cover) could be backtracks. However, they also could have just been good shots :)

[TF2] In team fortress 2, backtrack is frequently used by cheating spies to enable them to hit more egregious backstabs. However, not all suspicious backstabs (or "facestabs") are backtracks; TF2 is just weird sometimes. A recurring pattern of weird stabs, though, should be investigated.

(Backtrack in combination with fake latency, when well configured, will be very difficult to spot!)

[Spot It!]
Backtracking is tricky to spot. In general, if you have the same or similar ping as another player, you should generally see the player hitting shots that make sense to you. For example, if you both have 30 ping and you are seeing lots of backtracks in spectate, that is a sign that you should look closer.
 
Thanks for the article Mooshuaz

This reminds me of the thread I follow on Reddit,
Explain Like I’m Five.
 
For ESP, I always suspected some players could see through walls. It's infuriating when you're carefully sneaking around, only to be pre-fired by someone who seems to know exactly where you are. Now I understand how these cheats work and how they can sometimes be subtle, like using smoothed aim to avoid looking suspicious.
If you're still hunting for ways to protect your gaming experience, you might want to try using an HWID spoofer. It can mask or change your Hardware ID, which I use for security reasons. I had some issues with getting unfairly banned once, and using a spoofer helped me get back into the game safely. You can check out this link for more details: https://www.cado-lolscript.com/hwid-spoofer
 
Last edited:
Back
Top